Agontuk / react-native-geolocation-service

React native geolocation service for iOS and android
https://www.npmjs.com/package/react-native-geolocation-service
MIT License

Veracode vulnerability issue in FusedLocationProvider.java #353

Open rkaartikeyan opened 2 years ago

rkaartikeyan commented 2 years ago

Environment

System:
  OS: macOS 12.3.1
  CPU: (8) arm64 Apple M1
  Memory: 114.89 MB / 16.00 GB
  Shell: 5.8 - /bin/zsh
Binaries:
  Node: 16.15.0 - /usr/local/bin/node
  Yarn: Not Found
  npm: 8.3.2 - ./node_modules/.bin/npm
  Watchman: Not Found
Managers:
  CocoaPods: 1.11.3 - /usr/local/bin/pod
SDKs:
  iOS SDK:
    Platforms: DriverKit 21.4, iOS 15.5, macOS 12.3, tvOS 15.4, watchOS 8.5
  Android SDK: Not Found
IDEs:
  Android Studio: 2021.2 AI-212.5712.43.2112.8609683
  Xcode: 13.4/13F17a - /usr/bin/xcodebuild
Languages:
  Java: 14.0.2 - /usr/bin/javac
npmPackages:
  @react-native-community/cli: Not Found
  react: 17.0.2 => 17.0.2
  react-native: 0.68.0 => 0.68.0
  react-native-macos: Not Found
npmGlobalPackages:
  react-native: Not Found

Platforms

Is this issue related to Android, iOS, or both? Android only

Versions

Please add the used versions/branches

Description

Thanks for the great library. As part of publishing the app to the store, we scanned the APK with Veracode and found the issue below. It would be great if these security issues were also addressed.

FusedLocationProvider.java

Line no: 223


Description: Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().

Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.

Reproducible Demo

Provide a detailed list of steps that reproduce the issue.

  1. Build a release APK
  2. Scan with Veracode

Expected Results

Reported issues should not appear in Veracode.
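To make the scanner's claim concrete, here is an added example (not code from react-native-geolocation-service, and not from either participant in this thread) showing why a `java.util.Random` output is recoverable and what the `SecureRandom` replacement looks like. It assumes the weak value is produced by an untruncated `nextInt()` call; the constants and update rule are the ones `java.util.Random` itself documents for its 48-bit linear congruential generator. Whether this matters for the line Veracode flagged depends on what that value is used for, which the issue does not state.

```java
import java.security.SecureRandom;
import java.util.Random;

/**
 * Added example, not part of the library: recovers the internal state of a
 * java.util.Random instance from two leaked nextInt() outputs and predicts
 * the next one, then shows the SecureRandom alternative for values that
 * must be unguessable.
 */
public class RandomPredictor {
    // Constants from the java.util.Random specification (48-bit LCG).
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One generator step: the same update java.util.Random.next() performs. */
    static long step(long state) {
        return (state * MULTIPLIER + ADDEND) & MASK;
    }

    /** nextInt() returns the top 32 bits of the post-step 48-bit state. */
    static int outputOf(long state) {
        return (int) (state >>> 16);
    }

    /**
     * Recover the state that follows `second`, given two consecutive
     * nextInt() outputs. `first` exposes the top 32 bits of the 48-bit
     * state, so only the low 16 bits are unknown: at most 65536 guesses.
     * Returns -1 if no candidate reproduces `second`.
     */
    static long recoverState(int first, int second) {
        long high = ((long) first & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1L << 16); low++) {
            long candidate = high | low;
            long next = step(candidate);
            if (outputOf(next) == second) {
                // A false match has probability about 2^-16; check a third
                // output to disambiguate if that risk matters.
                return next;
            }
        }
        return -1L;
    }

    public static void main(String[] args) {
        // Attacker model: two values observed from an app that used
        // java.util.Random (constructed here, nothing is leaked for real).
        Random weak = new Random();
        int leaked1 = weak.nextInt();
        int leaked2 = weak.nextInt();

        long state = recoverState(leaked1, leaked2);
        int predicted = outputOf(step(state));
        int actual = weak.nextInt();
        System.out.println("predicted=" + predicted + " actual=" + actual
                + " match=" + (predicted == actual));

        // Remediation from the Veracode note: use SecureRandom when the
        // value must be unguessable (tokens, nonces, keys). new SecureRandom()
        // is backed by the platform CSPRNG.
        SecureRandom strong = new SecureRandom();
        byte[] token = new byte[16];
        strong.nextBytes(token);
        System.out.println("token=" + bytesToHex(token));
    }

    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Compile and run with `javac RandomPredictor.java && java RandomPredictor`; the printed `match=true` line is the whole point of the scanner finding. The flip side is the maintainer's argument: if the value is never treated as a secret or as something an attacker gains from guessing, predictability is harmless, and swapping in `SecureRandom` only silences the scanner. Values fed through `nextInt(bound)` expose fewer bits per call, so recovery needs more samples than this example uses.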

Agontuk commented 2 years ago

I don't think any fix is needed in this case, as we're not using it to generate any confidential or private data.